@oxyhq/services 5.16.34 → 5.16.36

package/src/crypto/signatureService.ts

@@ -4,24 +4,88 @@
  * Handles signing and verification of messages using ECDSA secp256k1.
  * Used for authenticating requests and proving identity ownership.
  * 
- * Note: This service handles SIGNING (requires private key access via KeyManager).
- * For VERIFICATION, use @oxyhq/shared SignatureService instead.
+ * This service provides async methods for cross-platform compatibility (React Native + Node).
+ * For Node.js-only synchronous operations, use the node/signatureService module.
  */
 
-import { ec as EC } from 'elliptic';
 import { KeyManager } from './keyManager';
 import {
+  verifySignatureCore,
+  isValidPublicKey as validatePublicKey,
+  isTimestampFresh,
   buildAuthMessage,
   buildRegistrationMessage,
   buildRequestMessage,
-  getCryptoAdapter,
-  type SignedMessage,
-} from '@oxyhq/shared';
+  shortenPublicKey as shortenKey,
+  getEllipticCurve,
+} from './core';
 
-const ec = new EC('secp256k1');
+// Lazy import for expo-crypto
+let ExpoCrypto: typeof import('expo-crypto') | null = null;
 
-// Re-export shared types
-export type { SignedMessage } from '@oxyhq/shared';
+const ec = getEllipticCurve();
+
+/**
+ * Check if we're in a React Native environment
+ */
+function isReactNative(): boolean {
+  return typeof navigator !== 'undefined' && navigator.product === 'ReactNative';
+}
+
+/**
+ * Check if we're in a Node.js environment
+ */
+function isNodeJS(): boolean {
+  return typeof process !== 'undefined' && process.versions != null && process.versions.node != null;
+}
+
+/**
+ * Initialize expo-crypto module
+ */
+async function initExpoCrypto(): Promise<typeof import('expo-crypto')> {
+  if (!ExpoCrypto) {
+    ExpoCrypto = await import('expo-crypto');
+  }
+  return ExpoCrypto;
+}
+
+/**
+ * Compute SHA-256 hash of a string
+ */
+async function sha256(message: string): Promise<string> {
+  // In React Native, always use expo-crypto
+  if (isReactNative() || !isNodeJS()) {
+    const Crypto = await initExpoCrypto();
+    return Crypto.digestStringAsync(
+      Crypto.CryptoDigestAlgorithm.SHA256,
+      message
+    );
+  }
+  
+  // In Node.js, use Node's crypto module
+  // Use Function constructor to prevent Metro bundler from statically analyzing this require
+  // This ensures the require is only evaluated in Node.js runtime, not during Metro bundling
+  try {
+    // eslint-disable-next-line @typescript-eslint/no-implied-eval
+    const getCrypto = new Function('return require("crypto")');
+    const crypto = getCrypto();
+    return crypto.createHash('sha256').update(message).digest('hex');
+  } catch (error) {
+    // Fallback to expo-crypto if Node crypto fails
+    const Crypto = await initExpoCrypto();
+    return Crypto.digestStringAsync(
+      Crypto.CryptoDigestAlgorithm.SHA256,
+      message
+    );
+  }
+}
+
+export interface SignedMessage {
+  message: string;
+  signature: string;
+  publicKey: string;
+  timestamp: number;
+}
 
 export interface AuthChallenge {
   challenge: string;
@@ -32,23 +96,39 @@ export interface AuthChallenge {
 export class SignatureService {
   /**
    * Generate a random challenge string (for offline use)
-   * Uses shared crypto adapter
+   * Uses expo-crypto in React Native, crypto.randomBytes in Node.js
    */
   static async generateChallenge(): Promise<string> {
-    const adapter = await getCryptoAdapter();
-    const randomBytes = await adapter.randomBytes(32);
-    return Array.from(randomBytes)
-      .map((b: number) => b.toString(16).padStart(2, '0'))
-      .join('');
+    if (isReactNative() || !isNodeJS()) {
+      // Use expo-crypto for React Native (expo-random is deprecated)
+      const Crypto = await initExpoCrypto();
+      const randomBytes = await Crypto.getRandomBytesAsync(32);
+      return Array.from(randomBytes)
+        .map((b: number) => b.toString(16).padStart(2, '0'))
+        .join('');
+    }
+    
+    // Node.js fallback
+    try {
+      // eslint-disable-next-line @typescript-eslint/no-implied-eval
+      const getCrypto = new Function('return require("crypto")');
+      const crypto = getCrypto();
+      return crypto.randomBytes(32).toString('hex');
+    } catch (error) {
+      // Fallback to expo-crypto if Node crypto fails
+      const Crypto = await initExpoCrypto();
+      const randomBytes = await Crypto.getRandomBytesAsync(32);
+      return Array.from(randomBytes)
+        .map((b: number) => b.toString(16).padStart(2, '0'))
+        .join('');
+    }
   }
 
   /**
    * Hash a message using SHA-256
-   * Uses shared crypto adapter
    */
   static async hashMessage(message: string): Promise<string> {
-    const adapter = await getCryptoAdapter();
-    return adapter.sha256(message);
+    return sha256(message);
   }
 
   /**
@@ -61,8 +141,7 @@ export class SignatureService {
       throw new Error('No identity found. Please create or import an identity first.');
     }
 
-    const adapter = await getCryptoAdapter();
-    const messageHash = await adapter.sha256(message);
+    const messageHash = await sha256(message);
     const signature = keyPair.sign(messageHash);
     return signature.toDER('hex');
   }
@@ -73,19 +152,43 @@ export class SignatureService {
    */
   static async signWithKey(message: string, privateKey: string): Promise<string> {
     const keyPair = ec.keyFromPrivate(privateKey);
-    const adapter = await getCryptoAdapter();
-    const messageHash = await adapter.sha256(message);
+    const messageHash = await sha256(message);
     const signature = keyPair.sign(messageHash);
     return signature.toDER('hex');
   }
 
   /**
    * Verify a signature against a message and public key
-   * Uses shared SignatureService for verification
    */
   static async verify(message: string, signature: string, publicKey: string): Promise<boolean> {
-    const { SignatureService: SharedSignatureService } = await import('@oxyhq/shared');
-    return SharedSignatureService.verify(message, signature, publicKey);
+    try {
+      const messageHash = await sha256(message);
+      return verifySignatureCore(messageHash, signature, publicKey);
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Synchronous verification (for Node.js backend)
+   * Uses crypto module directly for hashing
+   * Note: This method should only be used in Node.js environments
+   */
+  static verifySync(message: string, signature: string, publicKey: string): boolean {
+    try {
+      if (!isNodeJS()) {
+        // In React Native, use async verify instead
+        throw new Error('verifySync should only be used in Node.js. Use verify() in React Native.');
+      }
+      // Use Function constructor to prevent Metro bundler from statically analyzing this require
+      // eslint-disable-next-line @typescript-eslint/no-implied-eval
+      const getCrypto = new Function('return require("crypto")');
+      const crypto = getCrypto();
+      const messageHash = crypto.createHash('sha256').update(message).digest('hex');
+      return verifySignatureCore(messageHash, signature, publicKey);
+    } catch {
+      return false;
+    }
   }
 
   /**
@@ -112,13 +215,11 @@ export class SignatureService {
   /**
    * Verify a signed message object
    * Checks both signature validity and timestamp freshness
-   * Uses shared SignatureService for verification
    */
   static async verifySignedMessage(
     signedMessage: SignedMessage,
     maxAgeMs: number = 5 * 60 * 1000 // 5 minutes default
   ): Promise<boolean> {
-    const { SignatureService: SharedSignatureService, isTimestampFresh } = await import('@oxyhq/shared');
     const { message, signature, publicKey, timestamp } = signedMessage;
 
     // Check timestamp freshness
@@ -128,7 +229,7 @@ export class SignatureService {
 
     // Verify signature
     const messageWithTimestamp = `${message}:${timestamp}`;
-    return SharedSignatureService.verify(messageWithTimestamp, signature, publicKey);
+    return SignatureService.verify(messageWithTimestamp, signature, publicKey);
   }
 
   /**
@@ -154,22 +255,21 @@ export class SignatureService {
 
   /**
    * Verify a challenge response
-   * Uses shared SignatureService for verification
    */
   static async verifyChallengeResponse(
     originalChallenge: string,
     response: AuthChallenge,
     maxAgeMs: number = 5 * 60 * 1000
   ): Promise<boolean> {
-    const { SignatureService: SharedSignatureService } = await import('@oxyhq/shared');
     const { challenge: signature, publicKey, timestamp } = response;
-    return SharedSignatureService.verifyChallengeResponse(
-      publicKey,
-      originalChallenge,
-      signature,
-      timestamp,
-      maxAgeMs
-    );
+
+    // Check timestamp freshness
+    if (!isTimestampFresh(timestamp, maxAgeMs)) {
+      return false;
+    }
+
+    const message = buildAuthMessage(publicKey, originalChallenge, timestamp);
+    return SignatureService.verify(message, signature, publicKey);
   }
 
   /**

package/src/index.ts

@@ -49,9 +49,10 @@ export {
 export type { LanguageMetadata } from './utils/languageUtils';
 
 // Type exports
-// Note: User and LoginResponse should be imported from @oxyhq/shared
 export type {
   OxyConfig,
+  User,
+  LoginResponse,
   Notification,
   Wallet,
   Transaction,

package/src/models/interfaces.ts

@@ -1,12 +1,3 @@
-/**
- * Services Package Interfaces
- * 
- * Package-specific interfaces. For shared models (User, Session, etc.),
- * import directly from @oxyhq/shared:
- * 
- * import { User, LoginResponse, Session } from '@oxyhq/shared';
- */
-
 export interface OxyConfig {
   baseURL: string;
   cloudURL?: string;
@@ -30,8 +21,65 @@ export interface OxyConfig {
   onRequestError?: (url: string, method: string, error: Error) => void;
 }
 
-// Note: User and LoginResponse are in @oxyhq/shared
-// Import them directly: import { User, LoginResponse } from '@oxyhq/shared';
+/**
+ * User Model
+ * 
+ * IMPORTANT: 
+ * - id: MongoDB ObjectId (24 hex characters) - PRIMARY IDENTIFIER for all internal operations
+ * - publicKey: Cryptographic public key (130 hex characters) - LOOKUP KEY for authentication and identity operations
+ * 
+ * Never use publicKey as an ID. Always use id (ObjectId) for:
+ * - Database queries
+ * - Session userId
+ * - Token userId
+ * - Socket room names
+ * - API route parameters (unless explicitly doing publicKey lookup)
+ */
+export interface User {
+  id: string;           // MongoDB ObjectId - PRIMARY IDENTIFIER (always 24 hex chars)
+  publicKey: string;    // Cryptographic public key - LOOKUP KEY (130 hex chars for secp256k1)
+  username: string;
+  email?: string;
+  // Avatar file id (asset id)
+  avatar?: string;
+  // Privacy and security settings
+  privacySettings?: {
+    [key: string]: unknown;
+  };
+  name?: {
+    first?: string;
+    last?: string;
+    full?: string; // virtual, not stored in DB, returned by API
+    [key: string]: unknown;
+  };
+  bio?: string;
+  karma?: number;
+  location?: string;
+  website?: string;
+  createdAt?: string;
+  updatedAt?: string;
+  links?: Array<{
+    title?: string;
+    description?: string;
+    image?: string;
+    link: string;
+  }>;
+  // Social counts
+  _count?: {
+    followers?: number;
+    following?: number;
+  };
+  accountExpiresAfterInactivityDays?: number | null; // Days of inactivity before account expires (null = never expire)
+  [key: string]: unknown;
+}
+
+export interface LoginResponse {
+  accessToken?: string;
+  refreshToken?: string;
+  token?: string; // For backwards compatibility
+  user: User;
+  message?: string;
+}
 
 export interface Notification {
   id: string;
@@ -104,8 +152,17 @@ export interface TransactionResponse {
   transaction: Transaction;
 }
 
-// Note: PaginationInfo and SearchProfilesResponse are in @oxyhq/shared
-// Import them directly: import { PaginationInfo, SearchProfilesResponse } from '@oxyhq/shared';
+export interface PaginationInfo {
+  total: number;
+  limit: number;
+  offset: number;
+  hasMore: boolean;
+}
+
+export interface SearchProfilesResponse {
+  data: User[];
+  pagination: PaginationInfo;
+}
 
 export interface KarmaRule {
   id: string;
@@ -318,6 +375,8 @@ export interface AssetUrlResponse {
 
 export interface AssetDeleteSummary {
   fileId: string;
+  wouldDelete: boolean;
+  affectedApps: string[];
   remainingLinks: number;
   variants: string[];
 }
@@ -435,7 +494,6 @@ export interface AssetUploadProgress {
 }
 
 // Device Session interfaces
-// Note: User type should be imported from @oxyhq/shared
 export interface DeviceSession {
   sessionId: string;
   deviceId: string;
@@ -444,13 +502,7 @@ export interface DeviceSession {
   lastActive: string;
   expiresAt: string;
   isCurrent: boolean;
-  user?: {
-    id: string;
-    publicKey: string;
-    username: string;
-    avatar?: string;
-    [key: string]: unknown;
-  }; // Partial User - import full User type from @oxyhq/shared if needed
+  user?: User;
   createdAt?: string;
 }
 

package/src/node/index.ts

@@ -13,5 +13,8 @@ export { OxyServices, OXY_CLOUD_URL, oxyClient };
 export { Models };  // Export all models as a namespace
 export * from '../models/interfaces'; // Export all models directly
 
+// ------------- Node-Specific Crypto Exports -------------
+export { SignatureService } from './signatureService';
+
 // Default export for consistency or specific use cases if needed
 export default OxyServices;

package/src/node/signatureService.ts

@@ -0,0 +1,126 @@
+/**
+ * Node.js Signature Service
+ * 
+ * Provides synchronous signature operations for Node.js backend.
+ * Uses Node's crypto module for hashing and the shared core for verification.
+ */
+
+import crypto from 'crypto';
+import {
+  verifySignatureCore,
+  isValidPublicKey,
+  isTimestampFresh,
+  buildAuthMessage,
+  buildRegistrationMessage,
+  buildRequestMessage,
+  shortenPublicKey,
+  CHALLENGE_TTL_MS,
+  MAX_SIGNATURE_AGE_MS,
+} from '../crypto/core';
+
+export class SignatureService {
+  /**
+   * Generate a random challenge string
+   */
+  static generateChallenge(): string {
+    return crypto.randomBytes(32).toString('hex');
+  }
+
+  /**
+   * Compute SHA-256 hash of a message (synchronous)
+   */
+  static hashMessage(message: string): string {
+    return crypto.createHash('sha256').update(message).digest('hex');
+  }
+
+  /**
+   * Verify an ECDSA signature (synchronous)
+   * 
+   * @param message - The original message that was signed
+   * @param signature - The signature in DER format (hex encoded)
+   * @param publicKey - The public key (hex encoded, uncompressed)
+   * @returns true if the signature is valid
+   */
+  static verifySignature(message: string, signature: string, publicKey: string): boolean {
+    const messageHash = SignatureService.hashMessage(message);
+    return verifySignatureCore(messageHash, signature, publicKey);
+  }
+
+  /**
+   * Verify an authentication challenge response
+   * 
+   * @param publicKey - The user's public key
+   * @param challenge - The original challenge string
+   * @param signature - The signature of the auth message
+   * @param timestamp - The timestamp when the signature was created
+   * @returns true if the challenge response is valid
+   */
+  static verifyChallengeResponse(
+    publicKey: string,
+    challenge: string,
+    signature: string,
+    timestamp: number
+  ): boolean {
+    // Check timestamp is not too old
+    if (!isTimestampFresh(timestamp, CHALLENGE_TTL_MS)) {
+      return false;
+    }
+
+    // Build the message and verify signature
+    const message = buildAuthMessage(publicKey, challenge, timestamp);
+    return SignatureService.verifySignature(message, signature, publicKey);
+  }
+
+  /**
+   * Verify a registration signature
+   * Signature format: oxy:register:{publicKey}:{timestamp}
+   */
+  static verifyRegistrationSignature(
+    publicKey: string,
+    signature: string,
+    timestamp: number
+  ): boolean {
+    // Check timestamp freshness
+    if (!isTimestampFresh(timestamp, MAX_SIGNATURE_AGE_MS)) {
+      return false;
+    }
+
+    const message = buildRegistrationMessage(publicKey, timestamp);
+    return SignatureService.verifySignature(message, signature, publicKey);
+  }
+
+  /**
+   * Verify a signed request
+   * Used for authenticated API operations
+   */
+  static verifyRequestSignature(
+    publicKey: string,
+    data: Record<string, unknown>,
+    signature: string,
+    timestamp: number
+  ): boolean {
+    // Check timestamp freshness
+    if (!isTimestampFresh(timestamp, MAX_SIGNATURE_AGE_MS)) {
+      return false;
+    }
+
+    const message = buildRequestMessage(publicKey, timestamp, data);
+    return SignatureService.verifySignature(message, signature, publicKey);
+  }
+
+  /**
+   * Validate that a string is a valid public key
+   */
+  static isValidPublicKey(publicKey: string): boolean {
+    return isValidPublicKey(publicKey);
+  }
+
+  /**
+   * Get a shortened display version of a public key
+   */
+  static shortenPublicKey(publicKey: string): string {
+    return shortenPublicKey(publicKey);
+  }
+}
+
+export default SignatureService;

package/src/ui/context/OxyContext.tsx

@@ -11,8 +11,7 @@ import {
 } from 'react';
 import { Platform } from 'react-native';
 import { OxyServices } from '../../core';
-import type { ApiError } from '../../models/interfaces';
-import type { User } from '@oxyhq/shared';
+import type { User, ApiError } from '../../models/interfaces';
 import type { ClientSession } from '../../models/session';
 import { toast } from '../../lib/sonner';
 import { useAuthStore, type AuthState } from '../stores/authStore';

package/src/ui/context/hooks/useAuthOperations.ts

@@ -1,6 +1,5 @@
 import { useCallback } from 'react';
-import type { ApiError } from '../../../models/interfaces';
-import type { User } from '@oxyhq/shared';
+import type { ApiError, User } from '../../../models/interfaces';
 import type { AuthState } from '../../stores/authStore';
 import type { ClientSession, SessionLoginResponse } from '../../../models/session';
 import { DeviceManager } from '../../../utils/deviceManager';

package/src/ui/context/hooks/useLanguageManagement.ts

@@ -1,6 +1,5 @@
 import { useCallback, useEffect, useMemo, useState } from 'react';
-import type { ApiError } from '../../../models/interfaces';
-import type { User } from '@oxyhq/shared';
+import type { ApiError, User } from '../../../models/interfaces';
 import {
   getLanguageMetadata,
   getLanguageName,

package/src/ui/hooks/auth/index.ts

@@ -4,3 +4,5 @@
 export { useUsernameValidation, USERNAME_MIN_LENGTH, USERNAME_REGEX, USERNAME_FORMAT_ERROR, USERNAME_DEBOUNCE_MS } from './useUsernameValidation';
 export type { UsernameValidationResult } from './useUsernameValidation';
 
+
+

package/src/ui/hooks/mutations/useAccountMutations.ts

@@ -1,5 +1,5 @@
 import { useMutation, useQueryClient } from '@tanstack/react-query';
-import type { User } from '@oxyhq/shared';
+import type { User } from '../../../models/interfaces';
 import { queryKeys, invalidateAccountQueries, invalidateUserQueries } from '../queries/queryKeys';
 import { useOxy } from '../../context/OxyContext';
 import { toast } from '../../../lib/sonner';

package/src/ui/hooks/mutations/useServicesMutations.ts

@@ -1,5 +1,5 @@
 import { useMutation, useQueryClient } from '@tanstack/react-query';
-import type { User } from '@oxyhq/shared';
+import type { User } from '../../../models/interfaces';
 import { queryKeys, invalidateSessionQueries } from '../queries/queryKeys';
 import { useOxy } from '../../context/OxyContext';
 import { toast } from '../../../lib/sonner';

package/src/ui/hooks/queries/useAccountQueries.ts

@@ -1,5 +1,5 @@
 import { useQuery, useQueries } from '@tanstack/react-query';
-import type { User } from '@oxyhq/shared';
+import type { User } from '../../../models/interfaces';
 import type { OxyServices } from '../../../core';
 import { queryKeys } from './queryKeys';
 import { useOxy } from '../../context/OxyContext';

package/src/ui/hooks/useLanguageManagement.ts

@@ -1,6 +1,5 @@
 import { useCallback, useEffect, useMemo, useState } from 'react';
-import type { ApiError } from '../../models/interfaces';
-import type { User } from '@oxyhq/shared';
+import type { ApiError, User } from '../../models/interfaces';
 import {
   getLanguageMetadata,
   getLanguageName,

package/src/ui/hooks/useSessionManagement.ts

@@ -1,6 +1,5 @@
 import { useCallback, useMemo, useRef, useState } from 'react';
-import type { ApiError } from '../../models/interfaces';
-import type { User } from '@oxyhq/shared';
+import type { ApiError, User } from '../../models/interfaces';
 import type { ClientSession } from '../../models/session';
 import { mergeSessions, normalizeAndSortSessions, sessionsArraysEqual } from '../../utils/sessionUtils';
 import { fetchSessionsWithFallback, mapSessionsToClient, validateSessionBatch } from '../utils/sessionHelpers';

package/src/ui/index.ts

@@ -81,5 +81,4 @@ export {
 
 // Re-export core services for convenience in UI context
 export { OxyServices } from '../core';
-// Note: User and LoginResponse should be imported from @oxyhq/shared
-export type { ApiError } from '../models/interfaces';
+export type { User, LoginResponse, ApiError } from '../models/interfaces';

package/src/ui/screens/AccountSettingsScreen.tsx

@@ -233,7 +233,7 @@ const AccountSettingsScreen: React.FC<BaseScreenProps & { initialField?: string;
 
                 // Handle locations - convert single location to array format
                 if (finalUser.locations && Array.isArray(finalUser.locations)) {
-                    setLocations(finalUser.locations.map((loc: any, index: number) => ({
+                    setLocations(finalUser.locations.map((loc, index) => ({
                         id: loc.id || `existing-${index}`,
                         name: loc.name,
                         label: loc.label,
@@ -252,17 +252,17 @@ const AccountSettingsScreen: React.FC<BaseScreenProps & { initialField?: string;
 
                 // Handle links - simple and direct like other fields
                 if (finalUser.linksMetadata && Array.isArray(finalUser.linksMetadata)) {
-                    const urls = finalUser.linksMetadata.map((l: any) => l.url);
+                    const urls = finalUser.linksMetadata.map(l => l.url);
                     setLinks(urls);
-                    const metadataWithIds = finalUser.linksMetadata.map((link: any, index: number) => ({
+                    const metadataWithIds = finalUser.linksMetadata.map((link, index) => ({
                         ...link,
                         id: link.id || `existing-${index}`
                     }));
                     setLinksMetadata(metadataWithIds);
                 } else if (Array.isArray(finalUser.links)) {
-                    const simpleLinks = finalUser.links.map((l: any) => typeof l === 'string' ? l : l.link).filter(Boolean);
+                    const simpleLinks = finalUser.links.map(l => typeof l === 'string' ? l : l.link).filter(Boolean);
                     setLinks(simpleLinks);
-                    const linksWithMetadata = simpleLinks.map((url: string, index: number) => ({
+                    const linksWithMetadata = simpleLinks.map((url, index) => ({
                         url,
                         title: url.replace(/^https?:\/\//, '').replace(/\/$/, ''),
                         description: `Link to ${url}`,
@@ -553,7 +553,7 @@ const AccountSettingsScreen: React.FC<BaseScreenProps & { initialField?: string;
             }
 
             if (currentUser.linksMetadata && Array.isArray(currentUser.linksMetadata)) {
-                setLinksMetadata(currentUser.linksMetadata.map((link: any, index: number) => ({
+                setLinksMetadata(currentUser.linksMetadata.map((link, index) => ({
                     ...link,
                     id: link.id || `existing-${index}`
                 })));

package/src/ui/screens/AccountSwitcherScreen.tsx

@@ -15,7 +15,7 @@ import {
 import type { BaseScreenProps } from '../types/navigation';
 import type { ClientSession } from '../../models/session';
 import { fontFamilies } from '../styles/fonts';
-import type { User } from '@oxyhq/shared';
+import type { User } from '../../models/interfaces';
 import { toast } from '../../lib/sonner';
 import { confirmAction } from '../utils/confirmAction';
 import OxyIcon from '../components/icon/OxyIcon';